The Benefits of DevOps for SAP on AWS

Discover how AWS DevOps practices tailored for SAP can revolutionize your automation processes, streamline delivery, and enhance collaboration between development and operations teams.

To enhance the automation of activities, reduce the lead times for fixes, and achieve faster delivery, you can implement AWS DevOps practices tailored for SAP. AWS offers an extensive array of services and tools for this purpose. The following figure shows the comprehensive DevOps suite available on AWS, which can govern the speed and quality of developing automation products and services for SAP.

DevOps versus Automation

Are you puzzled by the sudden shift in terminology from automation to DevOps? This post delves into the governance aspects of developing automation artifacts. Let’s clearly distinguish between the two: DevOps is a comprehensive practice aimed at enhancing collaboration between your development and operations teams. It encompasses various methodologies, including automation, which is a subset of DevOps. Automation specifically uses technology to minimize human intervention in tasks, particularly to expedite operational processes. On the other hand, DevOps encompasses all aspects of development and operations, addressing broader business and technological requirements.

In this blog post, we examine the elements and components shown in the figure above. We’ll focus on establishing CI/CD pipelines with AWS native services and understanding the importance of the AWS Service Catalog for securely managing access to automation artifacts for end users. Additionally, we’ll discuss the use of the Amazon EC2 Image Builder service and highlight IAM best practices to ensure secure and robust automation activities.

Continuous Integration/Continuous Deployment Pipeline

As shown on the left, we have a CI/CD pipeline to facilitate the development, testing, and deployment of automation artifacts on AWS. Developers can utilize their preferred IDEs in a distributed environment to craft automation code, subsequently committing their changes to a version control system like AWS CodeCommit. This service enables teams to collaborate on code efficiently and securely in a fully managed environment. To learn more about the features and use cases and how to set up AWS CodeCommit, visit https://aws.amazon.com/codecommit/.

Post-development, AWS CodeBuild amalgamates all dependencies and libraries to construct a finished package. This service also offers a controlled testing environment to ensure the product meets its intended objectives. For detailed instructions on using AWS CodeBuild, visit https://aws.amazon.com/codebuild/.

Subsequently, AWS CodeDeploy enables deployment in a staging area or the publication of the final product as a community artifact within the AWS Service Catalog. With AWS CodeDeploy, you can automate software deployments to various compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premise servers. AWS CodeDeploy is designed to make deployments safer and to release new features rapidly. Refer to https://aws.amazon.com/codedeploy/ for more on AWS CodeDeploy’s capabilities and deployment methods and how to integrate it into your CI/CD pipeline.

You can orchestrate the entire CI/CD pipeline from a single place using the AWS Code- Pipeline service. This service automates your release pipelines for fast and reliable application updates. AWS CodePipeline builds, tests, and deploys your code every time a code change occurs, based on the release process models you define. To dive deeper into setting up and managing a pipeline, refer to https://aws.amazon.com/codepipeline/.

Additionally, you can employ AWS Cloud Development Kit (CDK) or AWS Serverless Application Model (SAM) to generate deployable AWS CloudFormation templates for inclusion in the AWS Service Catalog. AWS CDK provides you with an open-source software development framework to model and provision your cloud application resources using familiar programming languages. Documentation for AWS CDK can be found at https://aws.amazon.com/cdk/. On the other hand, AWS SAM is an opensource framework specifically designed for building serverless applications on AWS. AWS SAM simplifies the process of defining, deploying, and managing serverless applications by providing a shorthand syntax for expressing serverless resources and their event sources. It’s built on AWS CloudFormation, which means you can take advantage of AWS CloudFormation’s features and benefits for deployment and management while working with serverless architectures.

AWS Service Catalog

With an established catalog of approved resources in the AWS Service Catalog, departments can provision the necessary resources via a self-service portal governed by IAM authorization. This capability allows IT teams to monitor and regulate usage to ensure compliance and to streamline the provisioning process. Through the AWS Service Catalog, organizations can enforce robust governance while enabling departments to promptly and efficiently provision the required AWS resources, thus enhancing autonomy and reducing the administrative burden on central IT.

Some uses for AWS Service Catalog include the following:

• Standardization: Helps in standardizing the AWS infrastructure and services to comply with organizational policies.
• Self-service portal: Provides a self-service portal for users to deploy AWS resources without having in-depth knowledge of AWS services.
• Governance: Allows administrators to apply governance and compliance rules to AWS resources.
• Cost management: Helps in managing costs by controlling the provisioning of resources.
• Controlled environment: Ensures a controlled environment by allowing only approved resources for provisioning.
• Auditability: Provides an audit trail of who requested what service, when, and the configurations they used.
• Consistency: Ensures consistency in the provisioning of AWS resources by enforcing standardized templates.

AWS EC2 Image Builder

Amazon EC2 Image Builder is a service designed to automate the creation, management, and deployment of customized Amazon EC2 machine images (AMIs) for various applications, including SAP systems on AWS. A use case for SAP would involve automating the creation of AMIs with preinstalled SAP software and configurations aligned with SAP best practices. This capability ensures that the underlying compute instances are optimized for SAP workloads, providing a standardized and repeatable process for SAP environment provisioning and maintenance, which enhances scalability and operational efficiency. For more in-depth information, visit http://s-prs.co/v577694.

Amazon EC2 Image Builder utilizes AWS Task Orchestrator and Executor (AWS TOE) for executing complex workflows in the image creation process, including software installation, configuration, and testing. Workflows are defined in a YAML document, which directs AWS TOE to execute specified tasks. These tasks can include embedded OS shell commands or calls to external scripts hosted locally or on Amazon S3. Additionally, AWS TOE can integrate with AWS Systems Manager to install packages via the AWS Systems Manager Distributor, and it can also implement Center for Internet Security (CIS) and Security Technical Implementation Guides (STIGs) hardening components into its image building workflow. For more details, visit http://s-prs.co/v577695.

Authorization Management

Automation is beneficial when implemented in a controlled and secure manner; otherwise, it can cause havoc in an IT environment. It’s essential to have a solid authorization framework before automating operations, including establishing permission controls to handle critical application assets safely. Actions on AWS are managed through IAM and resource policies to ensure access and modification rights are reserved for authorized users and systems. For a comprehensive guide on IAM best practices, visit http://s-prs.co/v577696.

In addition to following IAM best practices, consider adopting some additional measures to protect your AWS resources further, such as the following:

• Segregation of duties: Create distinct automation processes for creating, updating, and deleting AWS resources by assigning specific authorization controls to various individuals. Control the deletion process by allocating the tasks of enabling and disabling “deletion protection” to different principals. This approach ensures that only intended resources are deleted during cleanup activities. Additionally, segment the deletion process into three stages to guarantee the phased deletion of critical resources. For instance, delete infrastructure components initially, followed by data and storage assets, and finally assess backup assets to confirm the correct resource deletion. Integrate these stages into additional approval workflows, scheduling them at separate times to allow adequate response time for unforeseen outcomes.
• Attribute-based access controls (ABAC): Utilize resource tags, maintenance windows, and IAM condition keys to grant specific, time-bound access for principals to execute changes via automation. More details on ABAC can be found in the AWS IAM User Guide at http://s-prs.co/v577697.
• Additional data controls: Incorporate extra data controls such as application passwords, process parameter inputs, program status keys, encryption/decryption keys, and vital activity repository objects. Manage these controls using AWS services like AWS Secrets Manager, AWS Systems Manager Parameter Store, Amazon DynamoDB, AWS Key Management Service (KMS) keys, and Amazon S3. These controls should be separate from the main IAM roles or resource policies that authorize specific automation activities to enhance the security of permission administration for automation tasks.

Editor’s note: This post has been adapted from a section of the book SAP on AWS: Architecture, Migration, and Operation by Ravi Kashyap, Rajendra Narikimelli, and Rozal Singh.